On Jan 2, 2008, at 10:17 AM, Nick Golder wrote:

> I inherited a system that is attempting (poorly) to QoS traffic going
> across a tun interface (which is being used by OpenVPN).  Examples,
> books, and ML suggest to tag on the internal interface ingress traffic
> and QoS on the external interface egress traffic.

Treat the tun interface as a "normal" one. I recently had the same issue, and simply adapted TCP ACK priority to the interface, and found that worked fine. I'm currently testing a smaller MTU to help with fragmentation.

Scrub, by the way, also seems to work quite well.

> Since the traffic that I want to QoS doesn't really have an egress
> interface to QoS on, I am trying to figure out a way to properly QoS
> the traffic.

> Here is a quick map on the traffic:
>
> rl0 <--> tun0 <--> OpenVPN <--> rl1 <--> Internet

I think you're missing a tunneling interface somewhere.

> The traffic I want to QoS on is ingress on rl0 which in turn is also
> ingress on tun0.  By the time it hits rl1, it is OpenVPN traffic.

Could you explain this again?

I've been doing foolish interface setup for a while now. My own "privacy VPN" I have running to a co-located box looks a bit like this:

[internet] <--> [external interface] <--> [tun0] <--> [openvpn] <--> [external interface]

I also have a LAN to colo box setup, using openvpn on a different port.

> Any recommendations on how to handle this?

Treat tun0 as a normal altq interface. So far, there's not been any "real" issues with it co-existing with my normal altq rules for non-VPN traffic on the router. The one thing I've not had is an "interface speed conflict", since I arbitrarily reduced the bandwidth to somewhat less than my external interface.

For my soekris LAN gateway:

altq on tun0 priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7            # empty TCP ACKs and lowdelay TOS
queue vpn_def priority 1 priq(default)  # everything else lands here
queue vpn_null priority 0               # lowest priority; no rule below assigns to it

pass out quick on tun0 proto tcp from ($int_if:network) to any \
        queue (vpn_def, vpn_tcp_ack)    # second queue takes ACKs with no payload
pass out quick on tun0 proto { udp icmp } from ($int_if:network) to any \
        queue vpn_def
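The same approach written out as a complete pf.conf fragment for the rl0 / tun0 / rl1 topology from the original question, as an added example that is not part of either poster's configuration. It assumes the interface names from the question, keeps the 400Kb figure from the reply above as a value to be adjusted, and treats the max-mss value and the openvpn_port macro as placeholders.

```pf
# Added example, not from the thread: queue VPN-bound traffic on tun0 itself.
# Interface names follow the original post; bandwidth, max-mss and the
# OpenVPN port are assumed placeholders to be adjusted for the real link.
int_if       = "rl0"    # LAN side
vpn_if       = "tun0"   # OpenVPN tunnel, treated as a normal altq interface
ext_if       = "rl1"    # Internet side carrying the encapsulated OpenVPN UDP
openvpn_port = "1194"   # assumed; use the port from the OpenVPN config

# Normalise traffic. Clamping MSS on the LAN side keeps tunnelled TCP
# segments from being fragmented once OpenVPN adds its own overhead.
scrub in on $int_if all max-mss 1400

# Queue on the tunnel. Declare less bandwidth than the external link can
# really carry so that this queue, not the upstream, is the bottleneck;
# otherwise the priorities never get a chance to act.
altq on $vpn_if priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def     priority 1 priq(default)
queue vpn_null    priority 0

# Let LAN hosts in on the internal interface.
pass in quick on $int_if from ($int_if:network) to any

# TCP: with two queue names, pf sends packets carrying a lowdelay TOS and
# ACKs with no payload to the second queue, so downloads cannot starve the
# uplink of the ACKs they depend on.
pass out quick on $vpn_if proto tcp from ($int_if:network) to any \
        queue (vpn_def, vpn_tcp_ack)
pass out quick on $vpn_if proto { udp icmp } from ($int_if:network) to any \
        queue vpn_def

# The encapsulated stream leaves on the external interface as plain UDP.
# It needs no queue of its own: prioritisation already happened in tun0.
pass out quick on $ext_if proto udp from ($ext_if) to any port $openvpn_port
```

Load it with `pfctl -f` and check the per-queue counters with `pfctl -vsq`; if the vpn_tcp_ack counters stay at zero under load, the second queue name on the TCP rule is not being matched.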
